Smart card deployment: How to know if it's smart for your enterprise


Joel Dubin
12.10.2007




Smart cards can do a lot of heavy lifting for authentication systems. While no bigger than a credit card, they can carry not only a user's authentication credentials, but also other information like account and banking information, encryption keys and even biometric data.

In essence, smart cards resemble mini-computers, but they don't do general-purpose computing or run applications. Their sole purpose is to authenticate users. They come in many varieties and can be read either by direct insertion into a reader or, with contactless systems, simply by waving them across a card reader.

But for all the convenience they provide, smart card installation and deployment require a considerable investment in software, hardware and IT staff time. Below we offer a brief primer on how to determine whether a smart card deployment makes sense for your company, how to plan an installation and how to pick a smart card vendor.

Smart cards and risk analysis
The first step is to conduct a thorough risk analysis of the systems that will be protected with smart cards. Because of the effort involved with deploying smart cards, they should only be considered for protecting systems hosting high-risk data, such as customer identity information, company plans, intellectual property, etc., or data that might require at least two-factor authentication for regulatory compliance. Anything less is overkill.

Smart cards also make sense for merging physical and logical security, similar to the Federal government's HSPD-12 initiative, which requires a single credential for accessing both secured facilities and the computer systems inside them once users walk through the door.

A word of caution: think twice before giving customers smart cards for external application access. The least of your concerns will be customer acceptance. When working with a large customer base, the cost of issuing, distributing and maintaining smart cards will likely be prohibitive.

After conducting a risk analysis, define the security requirements for a smart card system. Is it for securing employee access to IT systems from their desktops, or for providing extra security when they're on the road with their laptops? Will they eventually be given to all employees to replace passwords, or only to a small group of employees for accessing high-risk systems? Will they only be used for system access, or eventually for accessing secured facilities as well? The answers to these questions will help guide both the short-term and long-term goals of the deployment.

Smart card data and logistics
Once the security requirements are established, it's time to decide what information the smart cards will store. The beauty of smart cards is their adaptability; almost anything can be loaded onto a card, but the drawback is deciding what. Some organizations load only enough information to verify identity, plus the encryption algorithms and keys that requires, but smart cards can also be used for processing electronic payments or verifying digital signatures. Cards can also hold other identifying credentials like an employee's photo or even fingerprints, incorporating elements of biometric identification. But remember, a smart card can only pack so much information; don't overload it.

Closely related to deciding what goes on the card is deciding how to load it. Smart cards come in two versions: reloadable and disposable. Disposable cards may be cheaper, but reloadable ones can be more practical. Reloadable cards can be reused, saving administrators the hassle of managing the issuing of new cards. Business and security requirements will drive this decision.

The next issue is the logistics of issuing, distributing, maintaining and replacing cards. Unlike a user ID and password, which are virtual credentials added by a system administrator on a directory server, a smart card is a physical object that needs to be handled and maintained. Any vendor under consideration should be able to issue equipment easily and as quickly as needed. Consider these questions:

Also think about how the cards will mesh with existing corporate infrastructure, including desktops and networks. For example, some card readers require USB ports. Will that fit in with your desktops, or have USB ports been disabled? The cards will also need to work with corporate authentication directory services, like Active Directory, as well as with network infrastructure, servers and other system applications.

Another thing to think about when considering smart cards is their cultural fit within the company. Make sure to get buy-in from key stakeholders -- executives, staff who will use the cards and affected departments like IT and human resources. Cards should be easy to use, not a hassle that staff will resist. One way to get around resistance is to conduct staged deployments. If the first group is happy, word will spread, making the next phase of the implementation easier.

Conclusion
Smart cards can make authentication systems incredibly efficient. But careful planning of every stage of the deployment -- from product selection and logistics, to staff acceptance and user requirements -- is essential to make the investment pay off.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security and is the author of The Little Black Book of Computer Security, available from Amazon. He also has a regular radio show on WIIT in Chicago on computer security and runs The IT Security Guy blog at http://www.theitsecurityguy.com.
